Ruan_Kotze
Advisor

How is VPN traffic excluded via crypt.def routed?

Hi Checkmates,

I've got a scenario whereby I've got a star community with all traffic routed through the center.

I've got a requirement now to break out SMTP traffic to a specific destination locally at one of the spokes (and at that spoke only - all other spokes should still encrypt and send through the center).

In the event that I exclude a specific source / destination / service via crypt.def, would traffic then obey a policy route on the gateway or would it still be sent to the center, but in cleartext?  The spoke in question is a Quantum spark running 80.20.50 in case it's relevant.

Is there perhaps a better way of doing this than fiddling with crypt.def and INSPECT syntax?  FWIW this is the syntax I'm looking to implement:

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=192.168.1.10,dst=1.2.3.4,dport=25)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif

Thanks,
Ruan


Accepted Solutions
PhoneBoy
Admin

This "hack" to crypt.def ensures the specified traffic is NOT encrypted (i.e. sent through VPN) and it should be sent according to the normal routing table.
Unfortunately, there isn't a cleaner way to do this currently.
And, because you're talking SMB gateways, make sure the change is made to the appropriate "Backward Compatibility" directory version of crypt.def.


6 Replies
the_rock
Legend

I could be mistaken, but I believe if you modify crypt.def, it would be sent in the clear; maybe someone else can confirm 100%. Actually, I don't believe TAC would ever recommend you to do something like this, but I saw a customer once create a VPN rule to block traffic that they did NOT want going through the tunnel (they just placed it above the accept VPN rule). Personally, I only saw that one time and never again. Most people just do it by modifying the file you mentioned.

Klemen1310
Explorer

Hello,

I have a similar issue: at location A I have an SMB Quantum Spark running 80.20.50 which has an established IPsec tunnel to location B, which is a cluster of 3600 appliances. All traffic is routed through the center, which is the cluster. At location A I have a device with local IP 192.168.15.245 whose traffic should not go through the tunnel but directly to the internet from location A.

How should I write my crypt.def?

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=192.168.15.245)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif

Looking forward to your reply,

Klemen

Ruan_Kotze
Advisor

Hi Klemen, as per the above, we did this successfully for one of our clients; I'll see if I can get a sanitized copy and post it here.

Klemen1310
Explorer

Hello,

Should I open a new ticket, or are you still trying to get a sanitized copy?

Ruan_Kotze
Advisor

Hi Klemen,

This is what we used (need was to exclude SMTP traffic from a specific host from the tunnel):

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=192.168.10.10,dport=25)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif

Also refer to the two SKs below (depending on the gateway platform, you need to modify different files on the SMS, etc.).

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Thanks,
Ruan

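As an added example (not code from this thread or from Check Point), the following Python generates the NON_VPN_TRAFFIC_RULES block used in the posts above, validates its inputs, and installs it into a copy of crypt.def above the file's default definition. It assumes the INSPECT syntax shown in the thread (comma-separated attributes inside a parenthesised rule are ANDed, and several rules can be joined with `or`), that the stock crypt.def contains a default `#define NON_VPN_TRAFFIC_RULES 0` inside an `#ifndef NON_VPN_TRAFFIC_RULES` guard (which is why the custom block has to come first), and that `//` starts a comment line in the file. The sample crypt.def text and the managed-block marker comment are constructed for the example. The `excluded()` helper evaluates the rules against a single flow the way the macro would, so you can confirm that only the SMTP flow leaves the tunnel while, say, HTTPS from the same host still goes through the center.

```python
"""Generate, validate and install a NON_VPN_TRAFFIC_RULES block for crypt.def.

Added example for this thread; not Check Point code.  Assumptions:
  * INSPECT syntax as used in the posts: inside a parenthesised rule the
    comma-separated attributes are ANDed, and whole rules are joined by `or`.
  * The stock crypt.def holds `#define NON_VPN_TRAFFIC_RULES 0` inside an
    `#ifndef NON_VPN_TRAFFIC_RULES` guard, so the custom block must come first.
  * `//` starts a comment line in crypt.def; MARKER below is our own tag.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

MARKER = "// NON_VPN_TRAFFIC_RULES: custom VPN exclusions (managed block)"

# Constructed stand-in for the relevant lines of a stock crypt.def.
STOCK_CRYPT_DEF = """// ... unrelated definitions above ...
#ifndef NON_VPN_TRAFFIC_RULES
#define NON_VPN_TRAFFIC_RULES 0
#endif
// ... unrelated definitions below ...
"""


@dataclass(frozen=True)
class Exclusion:
    """One flow to keep out of the tunnel.  Each field is optional, but at
    least one must be set: an empty rule would match (and bypass) everything."""
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def to_inspect(self) -> str:
        parts = []
        if self.src is not None:
            parts.append(f"src={ipaddress.IPv4Address(self.src)}")  # rejects junk and IPv6
        if self.dst is not None:
            parts.append(f"dst={ipaddress.IPv4Address(self.dst)}")
        if self.dport is not None:
            if not 0 < self.dport < 65536:
                raise ValueError(f"bad dport {self.dport}")
            parts.append(f"dport={self.dport}")
        if not parts:
            raise ValueError("empty exclusion would send ALL traffic outside the VPN")
        return "(" + ",".join(parts) + ")"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        """Evaluate this rule for one flow, mirroring the macro's AND semantics."""
        return ((self.src is None or self.src == src)
                and (self.dst is None or self.dst == dst)
                and (self.dport is None or self.dport == dport))


def excluded(exclusions: Iterable[Exclusion], src: str, dst: str, dport: int) -> bool:
    """True if the flow would be sent outside the VPN under these exclusions."""
    return any(e.matches(src, dst, dport) for e in exclusions)


def build_block(exclusions: Iterable[Exclusion]) -> str:
    """Render the #ifndef/#define block in the shape used throughout the thread."""
    exclusions = list(exclusions)
    if not exclusions:
        raise ValueError("no exclusions given")
    rules = " or ".join(e.to_inspect() for e in exclusions)
    if len(exclusions) > 1:
        rules = f"({rules})"
    return "\n".join([
        MARKER,
        "#ifndef NON_VPN_TRAFFIC_RULES",
        "#ifndef IPV6_FLAVOR",
        f"#define NON_VPN_TRAFFIC_RULES {rules}",
        "#else",
        "#define NON_VPN_TRAFFIC_RULES 0",
        "#endif",
        "#endif",
    ])


# MARKER line plus the seven directive lines that follow it.
_MANAGED = re.compile(re.escape(MARKER) + r"\n(?:#.*\n){7}")


def install_block(crypt_def: str, block: str) -> str:
    """Return crypt_def with `block` present exactly once, above the stock
    default so the #ifndef guard selects the custom definition.  Re-running
    replaces the managed block instead of adding a second copy."""
    if _MANAGED.search(crypt_def):
        return _MANAGED.sub(lambda _m: block + "\n", crypt_def, count=1)
    anchor = crypt_def.find("#ifndef NON_VPN_TRAFFIC_RULES")
    if anchor < 0:
        raise ValueError("no default NON_VPN_TRAFFIC_RULES guard found; wrong file?")
    return crypt_def[:anchor] + block + "\n\n" + crypt_def[anchor:]


if __name__ == "__main__":
    # The scenario from the original question: one host's SMTP to one destination.
    smtp_breakout = [Exclusion(src="192.168.1.10", dst="1.2.3.4", dport=25)]
    print(install_block(STOCK_CRYPT_DEF, build_block(smtp_breakout)))
```

Run it against a copy of the crypt.def that applies to the gateway in question (for a Quantum Spark, the Backward Compatibility copy the accepted answer mentions, located per the SKs in the last post), then install the policy. Whether the excluded traffic then follows the spoke's normal routing table is what the accepted answer states; the script only edits the file and does not verify gateway behaviour.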